Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1566
Views
0
Helpful
14
Replies

Cisco ASA 5510 Active/Standby config

Go to solution
George Rodriguez
Level 1
Level 1

‎10-20-2014 01:34 PM - edited ‎03-11-2019 09:57 PM

I have configured failover using the management port. When I unplug the LAN interface the Primary goes into standby and the stanby unit goes into Primary state.
But when I plug the LAN interface on ASA1 back the Secondary stays as Active UNLESS I unplug the LAN interface o the Secondary unit. Is this normal?

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to George Rodriguez

‎10-21-2014 07:25 AM

You're welcome.

Please mark your question as answered if it has been. Rating improves the community quality. :)

View solution in original post

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to George Rodriguez

‎10-21-2014 08:23 AM

Yes, that's normal.

Unless you have specifically excluded a configured interface from monitoring (or set a threshold of number of monitored interfaces to trigger a failover), unplugging an interface will result in the line protocol going down and the unit will know that whether or not it has a standby IP address.

View solution in original post

0 Helpful
14 Replies 14

Go to solution
davebornack
Level 1
Level 1

‎10-20-2014 01:37 PM

I'm pretty sure you can't use the MGMT port for failover functions.  

I would recommend that you use LAN-based failover using one of the "inline" interfaces that passes traffic, or if you have enough ports available, configure one just for failover operations.

 

 

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎10-20-2014 03:50 PM

Yes, this is normal.

ASA high availability failover cluster units have no concept of preemption. Whichever unit has been healthy most recently will be active unless you initiate a manual failover to force the system back to the desired state.

@ Dave - yes the management port can be used for failover - as long as you don't want to also use it for management. From the configuration guide:

"You can use any unused interface on the device as the failover link; however, you cannot specify an interface that is currently configured with a name. The failover link interface is not configured as a normal networking interface; it exists for failover communication only. This interface should only be used for the failover link (and optionally for the Stateful Failover link)"

0 Helpful

Go to solution
George Rodriguez
Level 1
Level 1

‎10-21-2014 06:17 AM

That's what I figured on the management port. I combed through the internet searching and most state it can be used. My plan is to use it for both failover and stateful failover. I just wasn't sure about the failback when the primary comes back online.

My setup is using all 4 ports (2 WAN's, 1 LAN, 1 DMZ). Do I need to configure a standby for each interface?

Also, is there any way around not having to force a failback?

Thanks.

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to George Rodriguez

‎10-21-2014 06:24 AM

You can run an HA pair without standby IP addresses but the interface monitoring capability is somewhat compromised as the primary unit cannot positively verify the standby unit's is reachable on those interfaces via IP and instead has to rely on the communication from the standby via the failover link that the interfaces are up.

I always recommend you use standby IP addresses if possible. The only times I've not done it is when the available public IP addresses are severely constrained and the client can't afford to give up even 1 address on that interface.

0 Helpful

Go to solution
George Rodriguez
Level 1
Level 1
In response to Marvin Rhoads

‎10-21-2014 06:35 AM

Actually that is an issue right now with one of the WAN's (no available IP's). So if I create only one standby IP for the LAN, one for the DMZ & one for the Primary WAN it will still function properly? What will I lose?

I thought the LAN links going down triggers the failover?
 

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to George Rodriguez

‎10-21-2014 06:42 AM

Failover is triggered by any of several things - monitored interface on active peer going down, active peer not reachable, service module on active peer going down, etc.

A failover pair can operate properly with one of the interfaces not having a configured standby IP address. You will lose a slight degree of assurance that the standby peer is "really" ready on that interface since your are relying on its self-reporting that the interface is up with line protocol up.

One can posit scenarios in which that is the case yet traffic will not flow due to IP reachability (e.g., if it was plugged into an active port on an upstream switch and the port was in the wrong VLAN).

0 Helpful

Go to solution
George Rodriguez
Level 1
Level 1
In response to Marvin Rhoads

‎10-21-2014 07:22 AM

Great Feedback. Thanks Marvin!!!

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to George Rodriguez

‎10-21-2014 07:25 AM

You're welcome.

Please mark your question as answered if it has been. Rating improves the community quality. :)

0 Helpful

Go to solution
George Rodriguez
Level 1
Level 1
In response to Marvin Rhoads

‎10-21-2014 07:56 AM

Is there any way for the admin for the ASA to be notified when it goes into standby?

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to George Rodriguez

‎10-21-2014 08:06 AM

Yes. There is a syslog message created. If you're using an external log destination, you can typically set that up to notify you upon receipt of specified messages.

If you don't have an external syslog server, you can create a logging message list and direct the ASA to email the admin when that list receives an event. You will have to relay via an internal mail server and may need to add the ASA to the whitelist on that server if it's locked down.

Here's a link to the config guide section describing how to set that up on the ASA.

0 Helpful

Go to solution
George Rodriguez
Level 1
Level 1
In response to Marvin Rhoads

‎10-21-2014 08:17 AM

I'll take a look. One last thing (I think), I'm working on this with 2 5510's as I type. I noticed that if I only have the standby IP configured for the LAN interface only (no WAN's or DMZ) and I unplug the WAN's or DMZ the ASA goes into the standby state. Normal?

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to George Rodriguez

‎10-21-2014 08:23 AM

Yes, that's normal.

Unless you have specifically excluded a configured interface from monitoring (or set a threshold of number of monitored interfaces to trigger a failover), unplugging an interface will result in the line protocol going down and the unit will know that whether or not it has a standby IP address.

0 Helpful

Go to solution
George Rodriguez
Level 1
Level 1

‎10-21-2014 07:28 AM

No problem

0 Helpful

Go to solution
George Rodriguez
Level 1
Level 1

‎10-21-2014 08:47 AM

again, thanks for the help. I continue to work on this lab to fine tune it.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card